Distributed System Security via Logical Frameworks

ONR N00014-04-1-0724
Final Report

Frank Pfenning, Carnegie Mellon University

Michael Reiter, Carnegie Mellon University
Lujo Bauer, Carnegie Mellon University
1 Objectives and Approach

We conducted a research program with the goal of advancing security in distributed systems via the application of logical frameworks. Our work targeted multiple facets of the life-cycle of a distributed system, ranging from design through execution, and from sound mechanism design through sound policy enforcement. It consisted of three major interconnected thrusts.

First, we investigated how to exploit existing technologies to mechanically reason about security policies as specified in a logical framework. This closed an important security gap, helping users and managers understand the consequences of their policies.

Second, we demonstrated the use of logical frameworks for encoding and enforcing access-control policies in a practical distributed system. Access-control mechanisms today, whether physical keys for doors or password protection for computer accounts, reflect access-control policies that are explicit only in the manual procedures of the organization that manages these resources. As such, any change in policy, e.g., creating a new computer account or permitting a person to unlock a door, is effected through a manual process. We utilized logical frameworks to encode organizational policies within computer systems, thereby harnessing the power of these frameworks to support the management and enforcement of access-control policy, and gaining security and flexibility by doing so. We demonstrated this capability in a ubiquitous computing test-bed at Carnegie Mellon.

Third, we developed and implemented a framework for the specification of distributed and concurrent systems and their implementations, specifically targeting our test-bed architecture. This work extends a previous collaboration between NRL and Carnegie Mellon that resulted in the design of CLF, an innovative logical language for the specification of concurrent systems. CLF incorporates ideas from logical frameworks, linear logic, and monads into an expressive meta-language.

Prior work was supported by the Office of Naval Research (ONR) Grant N00173-00-C-2086 - Efficient Logics for Reasoning about Security Protocols and Their Implementations. CLF is now fully specified and has been successfully validated on mainstream concurrency formalisms (e.g., Petri nets, the pi-calculus), advanced concurrent programming languages (Concurrent ML), and security protocol specification languages (MSR). In the context of the present contract, we facilitated the transition of CLF from a foundational language into an implemented tool that can be applied to the specification of complex distributed and concurrent systems through the LolliMon prototype.

2 Technical Accomplishments

The research carried out under this grant accomplished the stated objectives. We will line them up with the threads of inquiry listed above. An overview of the project and accomplishments in the middle of the grant period can be found in [BPR07].
Reasoning about security policies. In an invited workshop talk [Pfe05] we mapped out a constructive logic for specifying security properties of distributed systems. We analyzed its properties and developed several criteria to establish noninterference between principals in [GP06]. In an approach to security based on formal logics and their proofs, this is a critical component.

Practical implementation. We implemented our designs as part of the Grey system for universal access control via convergent devices [BGM+05]. This system is currently in use on the CyLab floor of the Collaborative Innovation Center at Carnegie Mellon University, where students, faculty, and staff use smart phones to control access to their offices and log into their computers.

The experience with this implementation led to several further developments on the logical side. Specifically, we considered linear extensions to handle consumable (use-once) certificates [BBG+07] as well as an explicit representation of the knowledge of principals [GBB+06]. These advances were only partially implemented during the course of the contract, but make important conceptual contributions.

A crucial aspect of the practical implementation side is proof search, because access to a resource is granted when a formal proof of compliance with the access-control policy is presented. For the Grey system this was solved through a distributed backward-chaining proof search engine [BGR05].
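The proof-carrying authorization loop described above, as an added, constructed example that is not Grey's code, policy or proof engine: the requester runs a small backward-chaining search over a toy door policy and ships the resulting proof tree, and the guard accepts only a well-formed proof of exactly the request it received. The certificates, principals and door name are made-up assumptions.

```python
# Added, constructed example (not Grey's code or policy): signed certificates
# become axioms, the requester searches backward for a proof of an access goal,
# and the resource guard checks the submitted proof without searching.
CERTS = {  # constructed certificates for one door; principals are made up
    ("says", "admin", ("mayopen", "alice", "office")),
    ("says", "admin", ("delegates", "alice", "bob", "office")),
    ("says", "alice", ("mayopen", "bob", "office")),
}

def rule_instances(goal):
    """Yield (rule, premises): every way the policy lets a ground goal be derived."""
    if goal in CERTS:
        yield "cert", ()  # a certificate we hold is an axiom of the policy
    if goal[0] == "open":
        _, who, door = goal
        # open(P, R) if admin says P may open R
        yield "direct", (("says", "admin", ("mayopen", who, door)),)
        # open(Q, R) if admin lets P delegate R to Q, P grants Q, and P may open R
        for c in CERTS:
            if c[1] == "admin" and c[2][0] == "delegates" and c[2][2:] == (who, door):
                p = c[2][1]
                yield "delegate", (c, ("says", p, ("mayopen", who, door)),
                                   ("open", p, door))

def prove(goal, depth=8):
    """Requester side: backward chaining; the depth bound stops delegation cycles."""
    if depth == 0:
        return None
    for rule, premises in rule_instances(goal):
        subproofs = [prove(q, depth - 1) for q in premises]
        if all(sp is not None for sp in subproofs):
            return (goal, rule, tuple(subproofs))  # proof tree handed to the guard
    return None

def check(proof, goal):
    """Guard side: accept only a proof whose root is exactly `goal` and whose
    every node is a genuine rule instance; no search, so checking stays cheap."""
    g, rule, subproofs = proof
    if g != goal:
        return False
    for r, premises in rule_instances(goal):
        if r == rule and len(premises) == len(subproofs) and all(
                check(sp, q) for sp, q in zip(subproofs, premises)):
            return True
    return False
```

Because the guard re-derives each node from the policy, a proof replayed for a different goal or padded with an unsigned "certificate" is rejected even though it is well-formed.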

For extensions with consumable resources, we developed a separate, stand-alone theorem prover for linear logic [CP05a, Cha06]. Further development of this prover required a number of fundamental advances in our understanding of proof search for linear logic [CP05b, CPP06]. All these insights are integrated into our distributed software.

Specifications for Concurrent Systems. The focus in this thread was the development of an operational semantics so as to simulate the distributed systems specified in the Concurrent Logical Framework (CLF). In order to make this feasible, we restricted ourselves to a large fragment of CLF that is sufficient to express much of the proof-carrying authorization architecture of Grey. The design of this language [LPPW05] is a significant result of the work under this grant. The implementation is complete and publicly available.

A sideline was the analysis of causal dependencies in a logical framework, at present published only as a technical report [LWP07].
4 Software Prototypes

We are distributing two software prototypes developed with funds from this grant.

• A theorem prover for first-order linear logic.

• An implementation of the LolliMon logic programming language.

Both are available at the project home page at http://www.cs.cmu.edu/~self.